Dropbox client reverse engineered, user files accessed

A pair of security researchers have some worrying news for Dropbox users: they’ve managed to reverse engineer the desktop app. Once they laid its Python-powered inner workings bare, the real fun began.

The duo of Dhiru Kholia and Przemyslaw Wegrzyn were then able to bend Dropbox to their will. They managed to intercept SSL traffic flowing between the Dropbox client and its cloud servers and even gain access to user accounts.

That isn’t the worst of it: Kholia and Wegrzyn were also able to bypass two-factor authentication, and they could hijack a user’s account simply by clicking the “Launch Dropbox website” link from the Windows system tray icon. Fortunately, that particular hole was patched in a recent update.

It’s not all doom and gloom, however. With the Python code exposed, it’s possible that some enterprising Dropbox users could hack together an awesome open-source client with all kinds of cool additional functionality.

It’s also possible — and probably much more likely — that criminal types might code an impostor Dropbox app that steals users’ files. That’s a frightening prospect when nearly one billion files are handled by Dropbox every day.

Fending off reverse engineering attempts is a cat-and-mouse game. Now that Dropbox appears to have lost, it will be interesting to see how the company responds.

It’s not as though there’s any truly immediate danger to Dropbox users. If you’re running the latest version of the official client, you should be perfectly safe. If, however, you’ve installed some kind of “enhanced” app that you discovered in some shady corner of the Internet… well, you’re probably screwed.

Update 8/29/13: We just received this statement from a Dropbox spokesperson:

We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe. However, we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.